- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 17 Feb 2012 15:19:33 -0800
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Henrik Nordström <henrik@henriknordstrom.net>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
2012/2/17 Martin Thomson <martin.thomson@gmail.com>:

> 2012/2/15 Henrik Nordström <henrik@henriknordstrom.net>:
>
>> On Tue 2012-02-07 at 08:38 -0800, Martin Thomson wrote:
>>
>>> There isn't a security problem. X has the information and could forward to Y itself.
>>
>> No it doesn't. Y may require authentication / session cookies / IP-based access lists etc. which X cannot provide on its own.
>
> Damn, I can be dense sometimes. Obviously, if I can convince you to send me a POST that says "transfer $10 to acct number X" (which is trivially easy) and then redirect you to your bank, if you have an open session and the bank doesn't check Referer (though that wouldn't necessarily help), you've just made an easy $10.
>
> Are there any measures that browsers could take to limit this sort of thing?

You're describing a CSRF attack. There is a moderate-size literature about possible browser solutions to CSRF, but none of them have caught on. In the meantime, web sites defend themselves against this attack using secret tokens. For more details, please see <http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf>.

Adam
Received on Friday, 17 February 2012 23:20:36 UTC
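The secret-token defense Adam refers to, as an added Python illustration rather than code from the thread: a constructed in-memory session store stands in for the bank's backend, and the hypothetical handlers `transfer_vulnerable` and `transfer_protected` show why the cross-site POST Martin describes succeeds when only the session cookie is checked and fails once the site also demands the per-session token it embedded in its own form.

```python
import hmac
import secrets

# Constructed stand-in for the bank's session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session and mint a secret CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the bank would embed as a hidden field in its own transfer form."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(request):
    """Accepts any POST that carries a valid session cookie (the flow Martin describes)."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "login required"
    return 200, "transferred $%s to %s" % (request["form"]["amount"], request["form"]["to"])


def transfer_protected(request):
    """Additionally requires the secret token; a cross-site page cannot read it."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "login required"
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred $%s to %s" % (request["form"]["amount"], request["form"]["to"])


def demo():
    """Returns the status codes: (forged vs vulnerable, forged vs protected, legit vs protected)."""
    sid = login("victim")
    # Constructed cross-site POST: the browser attaches the cookie automatically,
    # but the form fields come from the third-party page, which has no token.
    forged = {"cookies": {"sid": sid}, "form": {"amount": "10", "to": "X"}}
    # Constructed same-site POST built from the bank's own form, token included.
    legit = {"cookies": {"sid": sid},
             "form": {"amount": "10", "to": "X", "csrf_token": csrf_token_for(sid)}}
    return (transfer_vulnerable(forged)[0],
            transfer_protected(forged)[0],
            transfer_protected(legit)[0])
```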